I have a successfully working Spring 4 MVC project with lots of RESTful web-services on the back-end. We use Hibernate 5 and Spring Security 4 as well.
1) We authenticate users from a third-party source, OpenAM 10.x, and this creates a token in the browser.
2) From the front-end, we pass a request header containing that OpenAM token in the Ajax call.
3) In the back-end, following the SiteMinder example, we have a service, CustomUserDetailsService, which does the following:
a) it uses our code to call OpenAM and passes in the token;
b) we get back JSON data, which we parse to get the username;
c) from there we use the Hibernate Spring Security code to get further details for this user and get the roles:
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class CustomUserDetailsService implements UserDetailsService {
    // userAccountDao and getGrantedAuthorities(...) are not shown in the question
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        System.out.println("loadUserByUsername: username : " + username);
        UserAccountEntity userAccountEntity = userAccountDao.getByUsername(username);
        System.out.println("loadUserByUsername: userAccountEntity : " + userAccountEntity);
        if (userAccountEntity == null) {
            System.out.println("CustomUserDetailsService: userAccountEntity not found");
            throw new UsernameNotFoundException("Username not found");
        }
        System.out.println("CustomUserDetailsService: START: springframework.user");
        // this "User" object is: org.springframework.security.core.userdetails.User
        User user = new User(userAccountEntity.getUsername(), userAccountEntity.getPassword(), true, true, true, true,
                getGrantedAuthorities(userAccountEntity));
        return user;
    }
}
From here, we have working security on the URL endpoints ... this works great!
Now, here is the problem ... my boss wants to use our custom proprietary ACL system to make secure query calls. Making a call to get records, we want to make sure we get only the records the user has access to. We have our own ACL tables that allow us security for a user or role to certain objects. Suffice it to say, this was written before Spring Security ACL ever existed. I'd prefer to use Spring Security 4 ACL, but that is out of the question.
Consider that we have 4 levels: Entity, DAO, Services, Web Services. A single controller looks like this:
import java.util.ArrayList;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@RequestMapping(value = "", method = RequestMethod.GET, headers = "Accept=application/json")
public @ResponseBody ArrayList<SponsorEntity> getSponsorList1() {
    // the principal set by CustomUserDetailsService; a String ("anonymousUser") if unauthenticated
    Object principal = SecurityContextHolder.getContext().getAuthentication().getPrincipal();
    User user = null;
    if (principal instanceof User) {
        user = (User) principal;
    }
    // the User is available here, but the service/DAO call below does not receive it yet
    @SuppressWarnings("unchecked")
    ArrayList<SponsorEntity> sponsorEntityList = (ArrayList<SponsorEntity>) service.getAllList();
    return sponsorEntityList;
}
Like I said, this goes through the CustomUserDetailsService and sets the User as defined above. So, the first question is: in the DAO layer, what is the code I would use to pull this org.springframework.security.core.userdetails.User?
If I can get this User object from the DAO layer, then I can "pipe" that username into our old existing legacy code.
The second question: in a DAO unit test, how can I create/set up this security? This way I can test to see if my back-end code is really getting the username from an authenticated user.
Please let me know if you need any more information. Thanks!
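The following is an added example, not code from the question above nor from Spring Security or OpenAM, showing one way to do both things asked: read the org.springframework.security.core.userdetails.User from SecurityContextHolder inside a DAO, and populate that holder by hand in a plain JUnit 4 test. The names CurrentUser, SponsorDao and LegacyAcl are assumptions standing in for the proprietary ACL code, and the in-memory ACL data (alice may read sponsors 1 and 2) is constructed for the test; the file is named SponsorDaoTest.java after its public class.

```java
package example.acl;

import static org.junit.Assert.assertEquals;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import org.junit.After;
import org.junit.Test;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.User;

/** Reads the principal that CustomUserDetailsService produced; usable from any layer. */
final class CurrentUser {
    private CurrentUser() {
    }

    /** Returns the authenticated Spring Security User, or fails closed. */
    static User require() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        // auth is null before the filter chain ran; for an anonymous request the
        // principal is the String "anonymousUser", so the instanceof check rejects it too.
        if (auth == null || !auth.isAuthenticated() || !(auth.getPrincipal() instanceof User)) {
            // Fail closed: a DAO must never fall back to "all records" when there is no user.
            throw new AuthenticationCredentialsNotFoundException("No authenticated User in SecurityContext");
        }
        return (User) auth.getPrincipal();
    }
}

/** Hypothetical stand-in for the proprietary ACL tables (an assumption, not the real API). */
interface LegacyAcl {
    List<Long> readableSponsorIds(String username);
}

/** Hypothetical DAO that pipes the current username into the legacy ACL before querying. */
class SponsorDao {
    private final LegacyAcl acl;

    SponsorDao(LegacyAcl acl) {
        this.acl = acl;
    }

    /** With Hibernate these ids would become a "where s.id in (:ids)" restriction on the query. */
    List<Long> getAllowedSponsorIds() {
        String username = CurrentUser.require().getUsername();
        return acl.readableSponsorIds(username);
    }
}

/** Plain JUnit 4 test: populates SecurityContextHolder by hand, no Spring context needed. */
public class SponsorDaoTest {
    // Constructed in-memory ACL: alice may read sponsors 1 and 2, everyone else nothing.
    private final SponsorDao dao = new SponsorDao(username ->
            "alice".equals(username) ? Arrays.asList(1L, 2L) : Collections.<Long>emptyList());

    @After
    public void clearContext() {
        // The holder is a ThreadLocal by default; clear it so one test cannot leak its user into the next.
        SecurityContextHolder.clearContext();
    }

    private static void authenticateAs(String username, String... roles) {
        // Same org.springframework.security.core.userdetails.User type the question's service builds.
        User user = new User(username, "not-a-real-password", AuthorityUtils.createAuthorityList(roles));
        // The three-argument token constructor marks the Authentication as authenticated.
        Authentication auth = new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(auth);
    }

    @Test
    public void returnsOnlyAclVisibleIdsForAuthenticatedUser() {
        authenticateAs("alice", "ROLE_USER");
        assertEquals(Arrays.asList(1L, 2L), dao.getAllowedSponsorIds());
    }

    @Test
    public void returnsNothingForUserWithoutAclGrants() {
        authenticateAs("bob", "ROLE_USER");
        assertEquals(Collections.<Long>emptyList(), dao.getAllowedSponsorIds());
    }

    @Test(expected = AuthenticationCredentialsNotFoundException.class)
    public void failsClosedWithoutAuthentication() {
        dao.getAllowedSponsorIds();
    }
}
```

Two caveats worth keeping in mind. SecurityContextHolder uses a ThreadLocal strategy by default, so the DAO only sees the principal on the thread that ran the security filter chain; work handed to an @Async method or a thread pool needs Spring Security's DelegatingSecurityContextExecutor (or MODE_INHERITABLETHREADLOCAL) or CurrentUser.require() will correctly refuse. For tests that do load a Spring context, the @WithMockUser and @WithUserDetails annotations from the spring-security-test module (Spring Security 4.0 and later) perform the same SecurityContextHolder setup declaratively; the unauthenticated test above is the one to keep either way, since it proves the DAO fails closed rather than silently returning every record.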